
Defining Cloud SLAs Is Critical: Page 2 of 2

"Organizations should work with providers to understand their security practices and what is applicable to the specific type of offering--but be careful to not rely on dated security questionnaires that don't properly address multitenant SaaS and PaaS offerings."

Organizations in certain verticals must also adhere to regulatory requirements, and they need to ensure those are addressed in the SLA through service provider controls and risk mitigation strategies, says Ely.

"Organizations have options for meeting their regulatory requirements in multitenant environments," he says. "The most common implications to regulatory compliance [are] data residency, export controls and data privacy laws. Risks to these requirements can often be mitigated by encrypting data, monitoring logs provided by the service provider or only storing certain types of data internally."

He adds that governing bodies are just now starting to provide guidance on how regulations are applicable to cloud providers, but in the meantime, many organizations have implemented HIPAA, Safe Harbor, PCI and other regulated processes in multitenant environments.

Ely says that providers have good intentions. However, with a mix of SaaS and PaaS services that include free, inexpensive monthly subscriptions and multiyear enterprise agreements, "not all SLAs are created equal. Better industry definition of terms, responsibilities and standard practices would help organizations make informed choices."

Additionally, he says, organizations should evaluate their needs and the impact to their business if the SLA is not met to determine if a service provider is the right fit. "Working with the provider to understand potential impact," says Ely, "will help the organization understand best practices, resource of SLA violation and the risk to their operations."
